What is 'safe harbour' the EU Declared Invalid?

Uploaded on 2015-10-23 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms

The European Court of Justice has ruled that the “safe harbour” agreement that allowed the transfer of European citizens data to the US is no longer valid. But what does that mean for the Facebooks, Googles and Microsofts of this world?

In a two-year-old case forced to the EU’s highest court by Austrian privacy campaigner Max Schrems, the EUCJ ruled that the European Commission’s trans-Atlantic data protection agreement that went into force in 2000 was invalid because it does not adequately protect consumers in the wake of the Snowden revelations.

What was the ‘safe harbour’ agreement?

EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location, which is deemed to have “adequate” privacy protections in line with those of the EU. The safe harbour agreement that was made between the EC and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US.It allowed companies such as Facebook to self-certify that they would protect EU citizens’ data when transferred and stored within US data centres. Patrick Van Eecke, co-head of the global privacy practice DLA Piper said: “The advantage of safe harbour was that it functioned as a kind of ‘one stop shop’ allowing for the export of personal data to the US, whoever in Europe it came from, without the need to ask for consent, or to enter into bilateral agreements, over and over again.”

Can data still be transferred to the US?

Now that the 2000 agreement has been called invalid, American companies – including Google, Facebook, Apple and Microsoft – can no longer rely on self-certification and must seek to strike “model contract clauses” in each case. These agreements authorise the transfer of data outside of Europe. Monique Goyens, director general of the European Consumer Organisation said: “In essence, if Facebook, Google et al. wish to continue sending Europeans’ personal data over the Atlantic they will just have to guarantee an adequate level of protection in line with EU rules.”
The impact on large US technology companies and their operations within the EU is likely to be limited to a large amount of paperwork. Many will already have model contract clauses already drawn up. Others may be forced to stop the transfer of data to the US until they have.
Many US companies have established or are in the process of building EU-based data centres to handle data for EU citizens, including Facebook, Apple and Google. The search company, for instance, lists four data centres within Europe, including one in Ireland.

What about Facebook?

For Facebook, which has been placed at the centre of this case by Schrems, the decision means that the Irish data protection authority (DPA) will be forced to investigate the Austrian’s claims and Facebook’s data protection practices.
“[The Irish DPA must]decide whether ... transfer of the data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data,” the EUCJ said.

Will I notice anything different?

The impact on users in the short term is unlikely to be obvious. The dissolution of the agreement will, in theory, ensure better data protection for users’ personal information going forward. It may also help stop the US government from being able to gain access to user data from the EU.
Sites and services such as Facebook are highly unlikely to be disrupted to any meaningful level. But it may open the door to further probes, complaints and lawsuits from users and data regulators.

What about cloud services?

The companies most affected are likely to be smaller, less financially and technologically able companies. Many use US-based cloud services to store or process data that they could not do themselves. It is the 21st century equivalent of outsourcing. Those companies will have to abide by the same systems as Facebook and Google, agreeing model contract clauses and ensuring that the service they are using, such as Amazon’s web services, also complies with data protection regulations. Despite being standard and essentially fixed agreements, getting them approved before transferring data will be both a financial and administrative burden.

Will a new safe harbour agreement be needed?

The ruling did not come completely out of the blue – it’s a ratification of the EU’s Advocate General’s opinion on Safe Harbour – but was not expected quite so soon. A new safe harbour agreement is currently being negotiated between the EU and US, and has been in negotiation for the last two years, following the Snowden revelations. The EU has been trying to limit the US government’s access to EU citizens’ data stored in the US and to allow EU citizens to sue US companies in US courts should they misuse their data. The EU has been using the threat of vetoing future trade agreements as a stick, but an agreement has yet to be struck. The new ruling is likely to light a fire under the proceedings as a new agreement is needed to help lubricate international trade in services.Some analysts see the EUCJ’s ruling as likely to hurt, not help, the new safe harbour negotiations. Van Eecke: “By tweaking and fine-tuning the existing safe harbour system and adding a layer of solid enforcement we could come to a workable solution. This is exactly what the government officials are working on, but which now risks to be impeded by the court’s decision.”

What happens if one can’t be made?

Should the US attempt to derail a new safe harbour agreement, it is US companies aiming to expand beyond US borders that are likely to be impacted. European companies may also see access to advanced cloud services restricted, although the move to data centres situated in Europe will ease the situation. In the meantime encryption may hold the answer to maintaining data transfer while a new agreement is put in place. Nigel Hawthorn, from cloud security company Skyhigh Networks, said: “Organisations need to investigate technologies such as encryption or risk being dragged through the courts by privacy advocates, customers or employees. Tokenising or encrypting data flows before they are sent to the cloud, and keeping the keys on premise, means all of these issues disappear. There is no ‘personal’ data in the cloud service once it has been encrypted or tokenised.”

Guardian

 

« Bitcoin - It's Uncomplicated
White House Backs Off Encryption »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Ripjar

Ripjar

Ripjar is a global company of talented technologists, data scientists and analysts designing products that will change the way criminal activities are detected and prevented.

ForgeRock

ForgeRock

ForgeRock, the leader in digital identity, delivers comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world.

Malta Information Technology Agency (MITA)

Malta Information Technology Agency (MITA)

MITA is the central driver of Government Information and Communications Technology (ICT) policy, programmes and initiatives in Malta.

Wibu-Systems

Wibu-Systems

Wibu-Systems is a leading provider of solutions for the Digital Rights Management (DRM) and anti-piracy industry.

Nozomi Networks

Nozomi Networks

Nozomi Networks is a leader in Industrial Control System (ICS) cybersecurity, with a comprehensive platform to deliver real-time cybersecurity and operational visibility.

Crypto4A Technologies

Crypto4A Technologies

Crypto4A quantum-ready cybersecurity solutions significantly improve protection for Cloud, loT, Blockchain, V2X, government and military application deployments.

CryptoCurrency Certification Consortium (C4)

CryptoCurrency Certification Consortium (C4)

The CryptoCurrency Certification Consortium is a non-profit organization that provides certifications to professionals who perform cryptocurrency-related services.

Tesserent

Tesserent

Tesserent (formerly Pure Security) is a full-service cybersecurity solutions provider. We partner with clients across Australia and New Zealand in the protection of their digital assets.

CyberSheath Services International

CyberSheath Services International

CyberSheath integrates your compliance and threat mitigation efforts and eliminates redundant security practices that don’t improve and in fact might probably weaken your security posture.

White Cloud Security

White Cloud Security

White Cloud is a cloud-based Application Trust-Listing security service that prevents unauthorized programs from running on your computers.

Thoma Bravo

Thoma Bravo

Thoma Bravo is a leading private equity firm with a 40+ year history and a focus on investing in software and technology companies.

iON United

iON United

iON United is a full-service IT security solutions provider and one of the most trusted names in cybersecurity in Canada.

Prescient Solutions

Prescient Solutions

Prescient Solutions is a managed services provider, using a cloud-based model to provide IT solutions to small, mid-sized, global organizations and government entities.

Obscure Technologies

Obscure Technologies

Obscure Technologies is a firm of experts, specialised in brokering the best security solutions to market.

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".

Anch.AI

Anch.AI

Anch.AI is an Ethical AI Governance platform that helps you comply with EU regulations and avoid risks and penalties when developing and using AI as part of your business.